Mobile Device Penetration Testing

With Core Impact Pro’s Mobile Device Penetration Testing capabilities, you can demonstrate the exploitability of iPhone®, Android™ and BlackBerry® smart phones using the same attack techniques employed by criminals today.

Attack and Penetration: Exploit Devices Using Real-World Techniques

One of the most effective ways for an attacker to take control of a mobile device is by getting the user, or the device itself, to install a malicious application. During phishing tests, you trick the user into clicking on a link and triggering the attack. For Wi-Fi tests, Impact delivers attacks in response to data requests (fake AP attacks) and inserts them into existing traffic (MITM attacks).

Attack delivery

Email phishing attacks are launched directly from Impact

SMS text phishing attacks are launched from Impact via an email-to-SMS gateway service

Device penetration

Impact’s mobile attacks are packaged as applications that attempt to run locally on the mobile device. In addition, some attacks attempt to exploit known vulnerabilities in the device’s operating system or built-in components and use those weaknesses to run the application. All Impact attack capabilities are developed and tested in-house, are designed to maximize target stability and integrity, and are updated as new vulnerabilities emerge and attackers hone their techniques.

Android Agent and Post-Exploitation Modules

Core Impact Pro includes a Java-based Android Agent that communicates back over an HTTP channel. This agent can be used standalone for phishing attacks, packed as an Android application, or as the communication channel for a post-exploitation facilitator when exploiting mobile vulnerabilities. Taking advantage of our Wi-Fi Fake Access Point functionality, we have included an attack for the Android WebView addJavascriptInterface() vulnerability that modifies the traffic of devices joined to our Fake AP in real time and installs an Android Agent on vulnerable devices. Our Android Agent currently supports the following capabilities:

Shell access

Get/Send SMS

Make a phone call

Contacts CRUD (Create Read Update Delete)

Calls log info

Geo-location/line number info

Upload/Download files

Evidence Retrieval: Demonstrate the Implications of a Mobile Device Breach

With Core Impact Pro, you can not only demonstrate how mobile devices in your environment can be compromised, but also reveal how attackers can access and manipulate device data to obtain your organization’s intellectual property and potentially defraud, defame or blackmail its end users.

Extract data

Once you compromise a tested device, Impact Pro enables you to extract data from the device just as an attacker would. Impact enables you to extract the following data types: